Last week, thanks to investigative reporting, we learned that Facebook discovered in January that it was storing millions of users’ passwords in plain text format, making them fully readable for thousands of its employees. Facebook has acknowledged that this was a serious security error and privacy breach on its side, as its systems, ideally, “are designed to mask passwords using techniques that make them unreadable”, and promised that it “will be notifying everyone whose passwords we have found were stored in this way.” There is no evidence that any of the thousand employees with access to these unencrypted passwords actually accessed them, but Facebook’s decision to remain mum reveals an important lesson for the overarching privacy and security policy debate. Importantly, data security incidents are a widespread problem that goes well beyond Facebook.

We Don’t Have to Sacrifice User Safety and Convenience to Make App Stores Competitive

App stores, such as Google Play and Apple’s App Store, have been good for consumers and independent developers in a number of ways. When they work well, they provide consumers with a convenient way to find and buy software that is safe and functional. I remember when my non-technical friends would never install software on their PCs, assuming that it was all a scam or malware of some kind. Now these same people can confidently install, use, and uninstall apps without fearing that it will ruin their devices or steal their personal information. Again, this is when things are working right. There are always bad actors to be vigilant against, and different app store curators do their jobs more and less well.

Last week, the New York Times reported that Facebook has decided to integrate the back-end infrastructures of its three fully-owned messaging products: Facebook Messenger, WhatsApp, and Instagram. At Public Knowledge, aware of the different nature, features, and conditions of use of these three services, we are carefully following the possible privacy and security and competition implications of this market-changing move.

The First Tangible Effects of the GDPR

Over the past two weeks, you’ve probably received numerous privacy policy updates from online companies. For example, last week LinkedIn sent its users an e-mail informing them of changes to its Terms of Service and Privacy Policy, explaining, “[w]e now meet the high standard for data privacy introduced by the new European data protection law known as the General Data Protection Regulation (GDPR), which goes into effect later in May.”

Is the GDPR Right for the United States?

Europe’s new privacy law, the General Data Protection Regulation (GDPR) will enter into force in May 2018. Understandably, given that data breaches and privacy violations have been in the headlines lately — and given that the GDPR will reshuffle privacy protection in Europe and beyond — many in the United States are looking to the GDPR for ideas of what to do – and what not to do. We think that it would be impractical and ineffective to copy and paste the GDPR to U.S. law — the institutions and legal systems are just too different.